Some forms of malware use command-and-control (C&C) protocols to manage compromised systems remotely. For example, a botnet is a collection of computers that are remotely managed for a specific purpose. Although the term "botnet" is sometimes used to describe legitimate distributed computing systems, the term usually refers to a network of illegally compromised computing systems. Botnets may be used to carry out spam email campaigns or distributed denial-of-service (DDoS) attacks, collect sensitive data, or commit click fraud to manipulate search engine rankings or inflate the advertising value of commercial websites. Botnets typically use a client-server or peer-to-peer organization to distribute tasks to the compromised computing systems.
One approach to detecting malware-compromised systems is to detect C&C protocol traffic in a private network. Unfortunately, modern malware systems use custom-designed protocols that may be difficult to identify or understand. Additionally, malware C&C communications are typically encrypted, making detection even more difficult. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for reverse-engineering malware protocols.
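The following is an added example, not part of the disclosure, of the detection approach the paragraph above describes: spotting C&C traffic in a private network from connection metadata alone, which sidesteps the encrypted-payload problem. It assumes a connection log in a made-up line format ("ISO timestamp, source IP, destination IP:port, bytes sent"), embedded here as constructed sample data, and flags (source, destination) pairs whose connection intervals are nearly constant, the periodic check-in pattern that distinguishes an automated beacon from human-driven browsing.

```python
"""Beacon detection over connection metadata.

Added example; assumes each log line is "ISO-timestamp src_ip dst_ip:dst_port
bytes_out", a format chosen here for illustration. Only timing is used, so the
check works even when the C&C protocol is custom and encrypted.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: internal host 10.0.0.5 contacts a suspected C&C
# server (203.0.113.7) every ~300 s with a few seconds of jitter, and also
# browses a legitimate site (198.51.100.20) at irregular, human-like times.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.7:443 612
2024-01-01T10:00:01 10.0.0.5 198.51.100.20:443 14203
2024-01-01T10:00:04 10.0.0.5 198.51.100.20:443 8820
2024-01-01T10:00:40 10.0.0.5 198.51.100.20:443 53011
2024-01-01T10:05:03 10.0.0.5 203.0.113.7:443 610
2024-01-01T10:07:12 10.0.0.5 198.51.100.20:443 2206
2024-01-01T10:09:58 10.0.0.5 203.0.113.7:443 613
2024-01-01T10:15:01 10.0.0.5 203.0.113.7:443 611
2024-01-01T10:20:00 10.0.0.5 203.0.113.7:443 612
2024-01-01T10:22:30 10.0.0.5 198.51.100.20:443 9912
2024-01-01T10:24:57 10.0.0.5 203.0.113.7:443 614
2024-01-01T10:30:00 10.0.0.9 203.0.113.7:443 700
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def detect_beacons(text, min_connections=5, max_cv=0.15):
    """Return {(src, dst): stats} for pairs whose inter-connection intervals
    are regular enough to look like an automated beacon.

    cv is the coefficient of variation (stdev / mean) of the intervals: a low
    value means near-constant spacing, typical of periodic check-ins and
    atypical of interactive traffic. min_connections avoids judging
    periodicity from a handful of samples.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps only; no usable period
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            flagged[pair] = {
                "connections": len(stamps),
                "period_s": round(mean),
                "cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for pair, stats in detect_beacons(SAMPLE_LOG).items():
        print(pair, stats)
```

On the sample data only the 10.0.0.5 to 203.0.113.7:443 pair is reported (six connections, period about 299 s, cv about 0.012); the browsing pair has a cv above 1 and the single connection from 10.0.0.9 is below the sample threshold. In practice the thresholds must be tuned against the network's own baseline, since legitimate software (update checks, monitoring agents) also beacons, so the output is a lead for triage rather than a verdict.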